On Thursday 02 June 2005 13:50, Steve Furlong wrote: > On 5/31/05, Ian G <[EMAIL PROTECTED]> wrote: > > I don't agree with your conclusion that hiding algorithms > > is a requirement. I think there is a much better direction: > > spread more algorithms. If everyone is using crypto then > > how can that be "relevant" to the case? > > This is so, in the ideal. But "if everyone would only..." never seems > to work out in practice. Better to rely on what you can on your own or > with a small group.
The number of people who are involved is actually quite small if you think it through. It's more a shift in attitude that is the barrier, not a large number of people who have to be sold. GPG is an application that could be delivered by default in all free OSs. BSD is more or less installed automatically with SSH installed. Linux machines that are set up are also generally set up with SSH. From there it isn't a large step conceptually to install GPG in the base installs. Start with the BSDs (because they understand security) and Linux (because they understand cool). It's also not a large step to add a special hook into SSH and browsers to add a simple file encryption utility. Just like OpenPGP's secret key mode. It doesn't have to be good, it just has to be there. A lot of machines have OpenSSL in them (this is how we get easy access to SHA1). Can we add a simple file encrypt to that? Once all the Unixen have these, the next step is to encourage a little usage... All you need to do is have one person that you communicate with like your brother or sister for the fun of doing some crypto chat, and it now becomes a regular *non-relevant* issue. All we need to do is to encrypt and protect one file and encryption becomes easy. > In response to Hadmut's question, for instance, I'd hide the crypto > app by renaming the executable. This wouldn't work for a complex app > like PGP Suite but would suffice for a simple app. Rename the > encrypted files as well and you're fairly safe. (I've consulted with > firms that do disk drive analysis. From what I've seen, unless the > application name or the data file extensions are in a known list, they > won't be seen. But my work has been in the realm of civil suits, > contract disputes, SEC claims, and the like; the investigators might > be more thorough when trying to nail someone for kiddie porn.) Right. If they find any evidence of "information hiding" other than a boring OpenPGP install that is as common as crazy frog mp3s then that's what I'd call "highly relevent" evidence. That would make matters worse for the particular case at hand. Information hiding is real sexy. I wouldn't recommend it for anyone who isn't really sure of their situation, and is willing to understand that if he gets caught with it, he's dead. > Or use another app which by the way has crypto. Winzip apparently has > some implementation flaws > (http://www.cse.ucsd.edu/users/tkohno/papers/WinZip/ ) but a quick > google doesn't show anything but brute force and dictionary attacks > against WinRar. Certainly using another app is fine. What would be more relevant to the direct issue is that it becomes routine to encrypt and to have encryption installed. See the recent threads on where all the data is being lost - user data is being lost simply because the companies don't protect it. Why aren't they protecting it? Because there are no easy tools that are built in to automatically and easily protect it. The picture here is becoming overwhelmingly clear - in order to protect users we should be employing as much crypto as we can openly, opportunistically, and easily. Anything that holds back from users protecting their data is a bad, and anything that moves them forward in protecting their data is a good. iang -- Advances in Financial Cryptography: https://www.financialcryptography.com/mt/archives/000458.html --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]